Vulnerability Description
In FreeRADIUS, when an EAP-SIM supplicant sends an unknown SIM option, the server tries to look that option up in its internal dictionaries. The lookup fails, but the SIM code does not check for that failure. Instead, it dereferences a NULL pointer, which causes the server to crash.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freeradius | Freeradius | >= 0.9.3, <= 3.0.25 |
Related Weaknesses (CWE)
References
- https://freeradius.org/security/ (Patch, Vendor Advisory)
- https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2025/06/msg00030.html
FAQ
What is CVE-2022-41860?
CVE-2022-41860 is a vulnerability with a CVSS score of 7.5 (HIGH). In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check f...
How severe is CVE-2022-41860?
CVE-2022-41860 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-41860?
Check the references section above for vendor advisories and patch information. Affected products include: Freeradius Freeradius.